ScreenOS Firewalls (NOT SRX)
Reply
Visitor
gi.giglio
Posts: 7
Registered: ‎02-24-2011
0

VIP on SSG140 dont work

Hello everyone,

 I have a SSG140 with ScreenOS 6.3.0 R6.0
 I restored the factory settings and I using the wizard to created a new configuration.

 The situation is simple:
 192.168.0.X a small network that should be able to surf the internet through a router.
 The two interfaces are eth 0/0 trust 192.168.0.1 Interface Mode: NAT - eth 0/2 Untrusted 10.11.12.2 Interface Mode: Route
 Router 10.11.12.1
 Between the LAN and Router I put the Juniper SSG140.
 It works all, the LAN clients surf the Internet  protected to ssg140.

 Within the LAN address 192.168.0.100 is a server running a proprietary application
 that responds to customer requests on TCP ports 30000, 33001, 35001 and must be reachable from the internet.
 I found plenty of documentation on the subject and all the descriptions on how to configure the SSG140 coincide:
 Create a VIP-Untrusted interface 0 / 2:
 Network> Interfaces> Edit (for ethernet 0 / 2)> VIP: Enter The following address,
 then click Add:
 Virtual IP Address: 10.11.12.5
 Network> Interfaces> Edit (for ethernet 0 / 2)> VIP> New VIP Service: Enter
 the following, then click OK:
 Virtual IP: 10.11.12.5
 Virtual Port: 30000
 Map to Service: Service1 (port 30000, created earlier in the Policy> Policy Elements> Services> Custom)
 Map to IP: 192.168.0.100

 Then I created the policy :

Untrust to trust    ( i have found documentation the say Untrust to global , where is right?)
 Source Address:
 Address Book Entry: (select), ANY
 Destination Address:
 Address Book Entry: (select), VIP (10.11.12.5)
 Service: Service1 (30000)
 Action: Permit

 I have enable the VIP to support multiple-port services, i enter the
 CLI command set vip multi-port, save the configuration, and then reboot the device.

 Done this,
 external clients can not reach the internal server.
 What's wrong?
 Is there any trick or any problem with ScreenOS 6.3.0 R6.0?

 

 I look forward to your own advice.
 Thanks

 Giglio Giuseppe

Contributor
SaffaJay
Posts: 31
Registered: ‎11-18-2010
0

Re: VIP on SSG140 dont work

Hi

 

Is your border router that sits between the firewall and the internet allowing connectivity back to your firewall ?

 

Ta

 

Jude

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009
0

Re: VIP on SSG140 dont work

Hi Gigio,

 

What you've done so far looks correct. There could a few things causing issues here.

 

First, 10.11.12.x is an RFC1918 private address.  You stated that you want your internal network (192.168.0.x) to be able to surf the internet, and you've set your eth0/0 interface into NAT mode.  That will NAT your outgoing requests to the 10.11.12.2 IP from your eth0/2 interface.  That IP is not routable on the internet.  Are you doing another level of NAT somewhere else on the network?

 

Second, what is the subnet mask for your eth0/2 connection to your router?  If it's not /24, then your router might not have a route to your VIP address of 10.11.12.5.

 

To answer your question, creating the policy from untrust to trust is correct.  I recommend that people never modify the global policy unless they have a very specific reason to do so.

 

Third -- a VIP may more more complicated than you need.  If this is going to be a 1-1 public IP to private IP mapping, you could use a MIP, and it makes the configuration easier (in my opinion).  A VIP is primarily used when you have to have a single public IP mapping into multiple internal IPs based on port numbers.

 

Finally, and this relates back to the first point -- your VIP of 10.11.12.5 is again, private address space.  Nothing on the the internet is going to be able to connect to that address.  Again, are you doing another layer of NAT on the network?

 

If you provide a diagram of how your network topology looks it would give us some insight into the issue.  Also, you could post your configuration of your SSG140.  If you continue to have troubles, we can help you run some debugs to see where the traffic is failing, but you'll need to address the points I made above before we go further.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Visitor
gi.giglio
Posts: 7
Registered: ‎02-24-2011
0

Re: VIP on SSG140 dont work

[ Edited ]

Hi keithr,

thanks for the reply
I solved the problem by downgrading the ScreenOS
from version 6.3.0 R 6.0 to version 6.2  r 9.0.
Now everything is working correctly.

Do you know if the 6.3 version has problems?
Thanks anyway

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.